HACKERS have been targeting a vulnerability in discontinued TP-Link routers for a year, with SecurityWeek reporting no successful payload execution to date. The flaw, tracked as CVE-2023-33538 and carrying a CVSS score of 8.8, is an authenticated command injection vulnerability caused by a lack of sanitisation of the ssid1 parameter in HTTP GET requests, according to Palo Alto Networks.
The weakness affects TP-Link’s TL-WR940N v2 and v4, TL-WR740N v1 and v2, and TL-WR841N v8 and v10 router models, and proof-of-concept exploit code has been publicly available for almost three years. In June last year, the US Cybersecurity and Infrastructure Security Agency added the bug to its Known Exploited Vulnerabilities catalog, warning that it affects end-of-life and end-of-service devices and urging agencies to discontinue them immediately.
Palo Alto Networks’ investigation has linked exploitation attempts to Mirai-based payloads that would turn infected devices into HTTP servers delivering malware to other devices, though attackers have made errors in their exploits. Successful exploitation could lead to denial-of-service or persistent access to the vulnerable devices.
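As an added defensive illustration (not code from SecurityWeek, Palo Alto Networks or TP-Link), the following Python scanner walks constructed web-server access-log lines and flags GET requests whose ssid1 parameter carries shell metacharacters, the pattern described above. The request path /example-path, the IP addresses and the log lines are all assumptions, not the routers' real endpoint or real traffic.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Shell metacharacters that are rarely legitimate inside a Wi-Fi SSID value.
SUSPICIOUS = re.compile(r"[;|&`$(){}<>\n]")

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_ssid1(target: str):
    """Return the decoded ssid1 value if it contains shell metacharacters, else None."""
    query = urlsplit(target).query
    for value in parse_qs(query, keep_blank_values=True).get("ssid1", []):
        decoded = unquote(value)  # second decode catches double-encoded values
        if SUSPICIOUS.search(decoded):
            return decoded
    return None


def scan(lines):
    """Return (source_ip, decoded_ssid1) for every GET request that looks like injection."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        flagged = suspicious_ssid1(m.group("target"))
        if flagged is not None:
            hits.append((m.group("ip"), flagged))
    return hits


# Constructed sample log lines (hypothetical path and addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2025:10:00:01 +0000] "GET /example-path?ssid1=HomeNet&channel=6 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jun/2025:10:00:05 +0000] "GET /example-path?ssid1=HomeNet%3Becho+probe HTTP/1.1" 200 512',
    '198.51.100.8 - - [01/Jun/2025:10:00:07 +0000] "GET /example-path?ssid1=HomeNet%253Becho+x HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jun/2025:10:00:09 +0000] "POST /example-path HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"possible ssid1 command injection from {ip}: {value!r}")
```

Only the two requests with metacharacters in ssid1 are reported; the benign SSID and the POST are ignored.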